FDIC’s Mainframe Security

(Report No. 04-037, September 21, 2004)

Summary

International Business Machines (IBM) Business Consulting Services (hereafter referred to as IBM), an independent professional services firm, was engaged by the Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG) to support its efforts to satisfy reporting requirements related to the Federal Information Security Management Act of 2002.

The objective of the audit was to determine whether the FDIC has adequate mainframe management, operational, and technical security controls. IBM reviewed the adequacy of the Division of Information Resources Management’s (DIRM) policies, procedures, practices, and tools related to mainframe security.

IBM concluded that the FDIC has established and implemented management, operational, and technical controls that provide reasonable assurance of adequate mainframe security. IBM also followed up on audit recommendations in the Government Accountability Office (GAO) (formerly the General Accounting Office) Report No. 04-629, Information Security: Information System Controls at the Federal Deposit Insurance Corporation, dated May 28, 2004. IBM found that the FDIC has made progress in its efforts to strengthen mainframe security, update security policies and procedures, and increase employee security awareness.

Further, DIRM has completed the required certification activities in preparation for system accreditation. These activities include completing a mainframe security plan; conducting a risk assessment and preparing the final risk assessment report; performing a self-assessment of mainframe management, operational, and technical controls; and completing a Plan of Actions and Milestones.

IBM did find one aspect of mainframe security that could be improved.

Recommendation

IBM recommended that DIRM establish standards and procedures related to stored system instructions.

Management Response

On September 14, 2004, the Director, DIRM, provided a written response to the draft report. DIRM management concurred with and proposed actions that are responsive to the recommendation. The recommendation is resolved but will remain undispositioned and open for reporting purposes.

This report addresses issues associated with information security. Accordingly, we have not made, nor do we intend to make, public release of the specific contents of the report.